6 matches found
CVE-2026-57960 Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id
Hi.Events through 1.9.0 public check-in list endpoints use shortid as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the shortid can call GET /api/public/check-in-lists/shortid/attendees t...
EUVD-2026-40144
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the...
CVE-2026-57959 Hi.Events 1.9.0 - Promo Code Max-Usage Bypass via Asynchronous Job Race Condition
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the...
CVE-2026-34455
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sortby query parameter directly to Eloquent's orderBy without validation, enabling SQL injection. The application us...
CVE-2026-34455
Hi.Events is affected by an SQL injection in which multiple repository classes pass the user-supplied sort_by parameter directly to Eloquent's orderBy() without validation (affecting versions 0.8.0-beta.1 up to before 1.7.1-beta). The underlying issue is the lack of input validation for sort_by, ...
CVE-2026-34455 Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sortby query parameter directly to Eloquent's orderBy without validation, enabling SQL injection. The application us...